SSL


OpenSSL

Get Certificate Information

From a Local File

Basic information for verifying a cert:

cat cert.crt | openssl x509 -noout -subject -ext "subjectAltName" -issuer -dates

CentOS 7 has an older version installed that doesn't support the -ext flag, but cPanel servers may have ea-openssl11 installed with an alternate binary path:

cat cert.crt | /opt/cpanel/ea-openssl11/bin/openssl x509 -noout -subject -ext "subjectAltName" -issuer -dates

Decode everything:

openssl x509 -in cert.crt -text -noout

From a Remote Certificate

openssl s_client -connect example.domain.com:443 -showcerts -CApath /etc/ssl/certs/ </dev/null

Don't show the CA certs:

openssl s_client -connect example.domain.com:443 -CApath /etc/ssl/certs/ </dev/null

Just show cert names, issuer, and dates:

openssl s_client -connect example.domain.com:443 </dev/null |openssl x509 -noout -subject -ext "subjectAltName" -issuer -dates

If SNI is involved:

openssl s_client -servername example.domain.com -connect example.domain.com:443 </dev/null | openssl x509 -noout -subject -ext "subjectAltName" -issuer -dates

When testing STARTTLS:

echo | openssl s_client -starttls smtp -crlf -connect example.domain.com:587

Test a Protocol

openssl s_client -connect example.domain.com:443 -tls1_3

You can go all the way down to TLS 1.0 (SSLv3 is so old it's not supported anymore):

openssl s_client -connect google.com:443 -tls1

CSRs

Decode an existing CSR:

openssl req -in mycsr.csr -noout -text

Generate a CSR

First, generate a private key in a secure directory with restrictive permissions. To do: Add instructions for generating domain.com.key

Second, generate the CSR itself which is paired with that key:

openssl req -new -nodes -key  /path/to/domain.com.key -out domain.com.csr

Then fill in the order form. You'll need to save the Challenge Password if you'll want to use PKCS#12/PFX format for the cert.

If you need a SAN

Here are instructions for generating a CSR with a 4096-bit RSA key and a SAN subdomain (a second domain name should work too). The $domain, $state, $city, and other $... values are placeholders: set them as shell variables (or replace them) before pasting. You need to enter the whole block at once, since the config is fed to openssl through process substitution.

openssl req -new -sha256 -nodes -out \*.$domain.com.csr -newkey rsa:4096 -keyout \*.$domain.com.key -config <(
cat <<-EOF
[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=US
ST=$state
L=$city
O=$company name
OU=$company unit
emailAddress=$email@domain.com
CN = www.$domain.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $domain.com
DNS.2 = $whatever.$domain.com
EOF
)
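As an added example (not from this wiki page), the script below ties the two techniques above together: it builds a self-signed certificate from a config file with a SAN section laid out like the CSR config, then inspects the result the way the openssl x509 commands above do, reporting whole days until expiry and whether a given hostname is actually covered by the SAN. It assumes openssl and GNU date are on the PATH; the domain and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original wiki: build a self-signed cert with a
# SAN from a config file (same layout as the CSR config above), then inspect it.
# Assumes openssl and GNU date; every name below is a constructed placeholder.

WORK=${WORK:-$(mktemp -d)}

# Generate key + self-signed cert for DOMAIN valid DAYS days; print the cert path.
# x509_extensions (instead of req_extensions) puts the SAN into the cert itself.
make_san_cert() {
    domain=$1; days=$2
    cat > "$WORK/san.cnf" <<EOF
[req]
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = v3_ext
[ dn ]
CN = www.$domain
[ v3_ext ]
subjectAltName = DNS:$domain, DNS:*.$domain
EOF
    openssl req -x509 -new -nodes -newkey rsa:2048 -days "$days" \
        -config "$WORK/san.cnf" -keyout "$WORK/$domain.key" \
        -out "$WORK/$domain.crt" >/dev/null 2>&1 || return 1
    echo "$WORK/$domain.crt"
}

# Whole days until notAfter (negative once the cert has expired).
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2-)
    echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}

# DNS names from subjectAltName, one per line. Parses -text output, so it also
# works on the older OpenSSL builds mentioned above that lack the -ext flag.
cert_san_dns() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,]*' | sed 's/^DNS://'
}

# Return 0 if HOST is covered by a SAN entry; a wildcard covers exactly one label.
cert_covers_host() {
    cert=$1; host=$2; hit=1
    set -f   # keep "*.domain" from being expanded as a shell glob
    for san in $(cert_san_dns "$cert"); do
        case $san in
            \*.*) [ "${host#*.}" = "${san#\*.}" ] && [ "${host%%.*}" != "$host" ] && hit=0 ;;
            *)    [ "$san" = "$host" ] && hit=0 ;;
        esac
    done
    set +f
    return $hit
}
```

Run it as `CERT=$(make_san_cert example.test 30); cert_days_left "$CERT"; cert_covers_host "$CERT" www.example.test && echo covered`; the same inspection functions work on a cert saved from the s_client commands above.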

Convert SSL Files

PFX/PKCS12 to PEM (you'll need the password that was used with the CSR):

openssl pkcs12 -in cert.pfx -out cert.pem -nodes

PEM to PFX/PKCS12:

openssl pkcs12 -export -out cert.pfx -inkey /path/to/privateKey.key -in cert.pem -certfile CACert.pem